Posted by: David Harley | September 2, 2015

Support scams: old dog, new teeth

Further to the tech support scam issues with OS X and iOS that I flagged here, here and here, I recently included some information on those and many other recent support scam trends in an article for ESET on Support scams, malware and mindgames without frontiers. The article concerns the expansion of tech support scamming across platforms and into languages other than English, as well as scam activity associated with real malware.

Unfortunately, there’s life in this rabid old dog yet. I’m referring to the scamming, not me. This is an attack whose scope, evolution and impact is still underestimated.

David Harley

Posted by: David Harley | August 4, 2015

Taking a pop at Safari pop-ups

You may have noticed that there have been several issues recently concerning pop-ups and malicious scripts affecting Safari users. In fact, I received email today about a ‘nuisance pop-up’ called that had apparently made Safari unusable for a family member.

I don’t have any information about, but Mac users with a similar problem might well find the information in Thomas Reed’s article at The Safe Mac on Tech support scam pop-ups useful, especially that relating to ‘Getting rid of the message’ in Safari, Chrome and Firefox.

An unrelated article on A Browser Pop-up has Taken Over Safari has some of the same information and might also be useful, also for iOS device users. It mentions a Safari extension for Macs called ScamZapper. I don’t have any further information on it at present: if anyone has experience of it, feel free to drop me a line via the contact form.

David Harley

Posted by: David Harley | August 4, 2015

Thunderstrikes twice…

There seems to be plenty of advance publicity around for the forthcoming briefing at Black Hat by Trammell Hudson, Xeno Kovah, and Corey Kallenberg on the updated Thunderstrike – see the abstract Thunderstrike 2: Sith Strike.

Randy Knobloch brought to my attention a comprehensive Wired article Researchers Create First Firmware Worm That Attacks Macs by Kim Zetter, making the apposite point that:

“People hear about attacks on PCs and they assume that Apple firmware is better,” Kovah says. “So we’re trying to make it clear that any time you hear about EFI firmware attacks, it’s pretty much all x86 [computers].”

Graham Cluley, for Intego, suggests that Thunderstrike 2 Firmware Worm Proves Apple Needs a Bug Bounty, while Ars Technica comments that “Thunderstrike 2” rootkit uses Thunderbolt accessories to infect Mac firmware: New version of the exploit can spread via e-mail and infected Web sites.

David Harley

Posted by: David Harley | August 4, 2015


More on the Yosemite 0-day mentioned here, now appearing in an exploit near you….

  • Thomas Reed explains on behalf of Malwarebytes, whose Adam Thomas “discovered a new adware installer, and while testing it, he discovered something very strange: his sudoers file had been modified!” about the DYLD_PRINT_TO_FILE exploit found in the wild. As Thomas points out:
    …there is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.

The good news is that anti-malware seems to be detecting samples making use of the exploit already.

David Harley


Posted by: David Harley | July 23, 2015

Yosemite 0-Day: vendor and researcher ethics

This article by Chris Williams for The Register on Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet appeared yesterday, and does a reasonable job of describing what the problem is.

Today’s blog by Graham Cluley for Intego – Apple Criticised for Not Patching OS X Yosemite Zero-Day Vulnerability is rather more analytical in terms of ethical considerations: not only the ethics of responsible disclosure, but also the assertion that Apple has fixed the bug in the beta of the forthcoming El Capitan, but hasn’t backported it to Yosemite.

David Harley

Posted by: David Harley | July 23, 2015

AV-Comparatives Mac Product test

AV-Comparatives has released its 2015 OS X review/test report, comparing 10 products. Its remit is far wider than the malware protection test (consisting of 105 samples that OS X Yosemite doesn’t or didn’t block), including:

  • Operating systems supported
  • Additional features  a firewall or anti-phishing capability
  • Installation/deinstallation options and issues.
  • Interface aspects and issues
  • Operating system integration
  • Whether a user with a standard user account can disable the protection.
  • Scanning options
  • The quality of the help facilities.

Unusually, the type of alert shown when the EICAR test file and various features on the AMTSO Security Features pages are accessed.

On a quick scan, it looks like AV-Comparatives has done its usual thorough job.

David Harley

Posted by: David Harley | July 17, 2015

Malwarebytes for Mac

I note with some interest the launch of Malwarebytes Anti-Malware for Mac, as announced in an article by John Leyden for The Register. Interesting, too, to read that the company has brought on board Thomas Reed and his AdwareMedic program. I know one or two of the guys over at Malwarebytes, and they’re knowledgeable people with a useful product.

However, I have to take issue with the following:

According to a June 2015 OPSWAT report, only half of Mac users have antivirus protection, and that protection does not typically detect adware. In the last two years, there has been a proliferation of new adware – including Genieo, Conduit, and VSearch…

I’m not sure where that assertion that Mac AV doesn’t typically detect adware comes from (an OPSWAT test, maybe?), but it’s misleading at best. All three of the examples of adware cited here are known to at least one AV company, or are listed as such on its website. ;) It may be that Malwarebytes has better detection of Mac adware than some or all AV products – I’m not in a position to test, but that’s one of the strengths of the Windows product – but that’s rather different.

David Harley

Posted by: David Harley | July 17, 2015

A bit more on iOS support scams

Since my last couple of articles here have been about support scams using Safari (especially) to deliver fake alerts on OS X and iOS devices, I should also mention an article by Sean of F-Secure that points out that disabling pop-ups using Safari’s pop-up blocking  [Settings -> Safari -> Block Pop-ups] and/or fraudulent website warning won’t fix the problem, or at any rate doesn’t work against the example described in the article. The article says that this is because in F-Secure’s examples, the pop-up is not actually a pop-up but a JavaScript-generated dialog.

Actually, JavaScript can be used to generate pop-ups, but I guess that isn’t the same thing. Anyway, the essential point is that Block Pop-ups doesn’t work here, apparently. (Sorry, I’m not in a position to check, but F-Secure doesn’t usually get this sort of thing wrong.) The Apple article cited by The Telegraph as well as F-Secure does include a note on disabling JavaScript via Settings > Safari > Advanced but as Sean rightly points out, while this is a quick way of regaining control of a pop-up-pestered iGadget, leaving it disabled will probably impact your browsing experience on some legitimate sites.

Did I mention that I maintain a collection of links to tech support scam information on the AVIEN blog? These articles are being added to that page as I go along.

David Harley


Posted by: David Harley | July 16, 2015

iOS Support Scams

A new blog by Graham Cluley for Intego actually has some points in common with my most recent blog here (which also involved pop-ups misused by support scammers, particularly in the context of Safari). However, Graham’s article is about iOS, whereas mine related to questions asked regarding OS X and Safari (citing advice from Thomas Reed that also addressed other browsers).

The Intego blog takes as a starting point an article in the Telegraph by  that explains how:

Users are reporting fake crash reports demanding payment in order to fix their Apple devices

These variations of the scam continue the trend away from direct cold-calling and towards tricking the victim into initiating the phone conversation with ‘iOS crash reports’ requiring the victim to call ‘Apple technical support’ at a number given in the pop-up message.

The Telegraph article focuses on reports from the UK, but Graham has found reports from North America  going back to last September if not earlier.

According to a variety of resources, this will get rid of a persistent pop-up of this type:

  • Put the device into Airplane mode.
  • Go to Settings > Safari> Clear History and Website Data.
  • Reopen Safari. Turn off Airplane mode.

Graham also offers a quick guide to blocking pop-ups proactively. Apple suggests a number of proactive measures worth considering. But the first thing to remember is not to ring that number.

I maintain a collection of links to tech support scam information on the AVIEN blog.

David Harley

Posted by: David Harley | July 14, 2015

Support scams

…not a topic we discuss much here, as support scammers tend to focus on Windows users, though I have addressed it occasionally:

However, I found a comment on this site today from someone about pop-ups they were seeing on Safari “saying that my computer has a virus and i need to call a certain number to get it removed”. (I’ve already responded to the comment, by the way.)

I can’t offer one-to-one tech support, I’m afraid – my days in Mac and PC support are long behind me – and I’m not generally in favour of trying to offer a one-size-fits-all solution for the benefit of anyone checking this site. There are too many sites offering various kinds of advice to users that in some circumstances might actually make things worse, and since I don’t want to fall into that trap, I try to avoid offering generalist advice that I’m not in a position to test exhaustively.

That said, Thomas Reed’s The Safe Mac site features generally sound commentary and advice page and has an article here that specifically addresses pop-up scam ‘virus alerts’ targeting Mac users, and if you’re seeing something like this, his advice on how to get rid of a scam message may work for you. I’ve had a few conversations with Thomas regarding malware in the past couple of years, and he seems pretty well-informed. There are also lots of comments worth reading from other victims, and Thomas is pretty good at responding to them.

While it doesn’t specifically talk about support scams, Apple has a page here that might be helpful in terms of dealing with other ad-injection software issues.

I maintain a collection of links to tech support scam information on the AVIEN blog.

David Harley

Older Posts »



Get every new post delivered to your Inbox.

Join 51 other followers